From 941133a42bad6a1d73c63913a950d1e4bc814fde Mon Sep 17 00:00:00 2001
From: Dominik Orliński <d.orlinski@samsung.com>
Date: Mon, 17 Jun 2019 11:53:38 +0200
Subject: Fix sql injection vulnerability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use a variable binding instead of concatenation.
Change test 'getAppRolesForNonCentralizedPartnerAppTest'.

Issue-ID: OJSI-174
Signed-off-by: Dominik Orliński <d.orlinski@samsung.com>
Change-Id: Ia75da49ed582836a47b5fdcddab62fbe02e36e72
---
 .../onap/portalapp/portal/service/UserRolesCommonServiceImpl.java    | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'ecomp-portal-BE-common/src/main')

diff --git a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
index 5d9761ce..a26c6ef3 100644
--- a/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
+++ b/ecomp-portal-BE-common/src/main/java/org/onap/portalapp/portal/service/UserRolesCommonServiceImpl.java
@@ -564,8 +564,9 @@ public class UserRolesCommonServiceImpl  {
 									"syncAppRoles: There is exactly 1 menu item for this role, so emptying the url");
 							@SuppressWarnings("unchecked")
 							List<FunctionalMenuItem> funcMenuItems = localSession
-									.createQuery(
-											"from " + FunctionalMenuItem.class.getName() + " where menuId=" + menuId)
+									.createQuery("from :name where menuId=:menuId")
+									.setParameter("name",FunctionalMenuItem.class.getName())
+									.setParameter("menuId",menuId)
 									.list();
 							if (funcMenuItems.size() > 0) {
 								logger.debug(EELFLoggerDelegate.debugLogger, "got the menu item");
-- 
cgit 1.2.3-korg